Some campus users have a requirement for administrator access to their personally assigned, campus owned computer. This level of access is granted by request. It is important that end users realize the security implications of having administrator access to a computer. This document aims to outline the use and security of the administrator account.
1. There are two types of administrator account.
Most campus users who have administrator accounts that were created before 1/1/2020 will have an account that exists only on a specific computer. These are computer-based administrator accounts. Many users who received a local administrator account after 1/1/2020 have received a domain-based administrator account that can be used on multiple, individually identified computers.
The naming convention for local administrator accounts is to add the suffix _a to a person's existing domain logon account. For example, if user bsmith is issued an administrator account, the account name will be bsmith_a.
If a person is issued an administrator account that exists only on a single computer, the prefix .\ is placed in front of the user ID. For example: .\bsmith_a
If a person is issued a domain-based local administrator account, the prefix will be ADIT\ instead. For example: ADIT\bsmith_a
Which type of account do I need?
If you need to administrate multiple computers that are members of the ADIT domain, a domain-based administrator account is the best option. You can use the one set of credentials to access multiple computers. At the time that you submit a request for a domain-based administrator account, you'll have to provide the names of all of the computers for which you need administrator access so that ITS can configure those computers to accept your domain-based administrator account.
If you need to administrate a single computer, such as your CSM owned laptop, then either a domain-based or computer-based administrator account will work equally well. Both types of accounts have the same level of rights on the computer. It is simpler to change the password for a computer-based administrator account than it is for a domain-based administrator account.
2. There is normally no need to log on to a computer with the administrator account.
The purpose of having an administrator account is so that you may make changes to your own campus owned computer, or a group of computers which you manage. Most system changes and software installations require this access. However, it is not necessary in the majority of cases for you to log on directly with the administrator account to make changes. For the best level of security, you should always log on to a computer with your normal ADIT user account.
When you log on to a computer with the administrator account, all the programs and processes launched in your user session run at administrator level. This means that if a Trojan or virus attacks you while you are logged on as administrator, it may gain much greater access to your system than it otherwise would.
If you are logged on with your normal ADIT user account and need to make a system change that requires administrator access, you enter your administrator credentials only when prompted for that change. Only the requested process then runs at administrator level; the rest of your session keeps running at normal user level. This is the more secure way to use your computer.
If for example you are logged on to your computer with your administrator account and inadvertently access a malicious web site that tries to make a change to your system you may never know the change has been made. Since you're already logged on as administrator, the system may make the change without your intervention. If however you are always logged on with your normal ADIT user account, you will always be prompted by the Windows User Account Control dialog box whenever a system change is attempted.
If the User Account Control dialog box pops up when you are trying to change something, this is normal. If, however, you are working on your computer and the User Account Control dialog box pops up unexpectedly, this is a red flag. Carefully weigh what is being asked for and decide whether you want to allow the process to continue. If in doubt, contact ITS for assistance.
3. Using the administrator account.
When you try to make a system change that requires administrator approval, Windows' User Account Control system will blank the screen and pop up a dialog box asking for the ID and password of the administrator account.
In our example above, you'll notice the "Domain: ADIT" notation below the Password entry field. This indicates that the computer is expecting you to enter a domain-based administrator account.
For example, if you were issued a domain-based Administrator account, you can enter ADIT\ImaAdmin_a, or just ImaAdmin_a into the user name field. However, if you have a computer-based administrator account, you must let the computer know that it is not a domain account.
To do that, you must be sure to include the prefix .\ before the administrator account name. For example: .\ImaAdmin_a
In this example, the "Domain: ADIT" label changed to "Domain: CN-TEST01". When one enters .\ in the User name field, the computer switches from looking for a domain-based administrator account to a computer-based administrator account that exists only on this single computer (in this case, our computer's host name is CN-TEST01).
Most often, the Windows User Account Control dialog will open already containing the user ID or full name of the currently logged on user. In the example below, I am logged on to the computer with my normal ADIT account and I want to launch the Management Console, which requires administrator rights.
Notice that my regular ADIT account is already populated in the dialog and displays as my full name. To switch to the administrator account, you must select the "More choices" link. The dialog box will expand and show a list of other user accounts. You'll select the "Use a different account" option at the bottom of the list. Sometimes, the "Use a different account" option is not visible because the list of accounts is too long. In those cases, you must scroll down to the bottom of the list to find it.
Once you click on "Use a different account", the dialog box will change to show the user name and password input fields.
Notice again that "Domain: ADIT" is set by default. Again, a domain-based administrator account may be entered as either ADIT\ImaAdmin_a or simply ImaAdmin_a, while a computer-based administrator account must have .\ prefixed to the user name, as in .\ImaAdmin_a.
Screenshots: a domain-based administrator account, or a computer-based administrator account.
If you enter the wrong credentials, the process will repeat until you enter the correct credentials or cancel the process.
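The prefix rules described in this section, modelled in Python as an added example (this is not ITS code; it assumes the dialog's default domain is ADIT and that the host name is supplied by the caller):

```python
# Added example, not part of the ITS article: works out which account store the
# Windows credential prompt will consult for what is typed in "User name".
# Assumptions: the dialog's default domain is ADIT, the host name is passed in,
# and the article's "_a" suffix convention marks administrator accounts.
from dataclasses import dataclass

DEFAULT_DOMAIN = "ADIT"


@dataclass(frozen=True)
class CredentialTarget:
    authority: str            # what the "Domain:" label in the dialog would show
    account: str              # the account name with any prefix removed
    kind: str                 # "domain-based" or "computer-based"
    follows_convention: bool  # does the name carry the _a suffix?


def resolve_target(typed: str, host_name: str) -> CredentialTarget:
    """Return the authority, bare account name and account type for `typed`."""
    typed = typed.strip()
    if "\\" in typed:
        prefix, account = typed.split("\\", 1)
    else:
        # No prefix: the dialog keeps its default "Domain: ADIT" label.
        prefix, account = DEFAULT_DOMAIN, typed
    if not account:
        raise ValueError("no account name given")
    is_admin_name = account.lower().endswith("_a")
    # ".\" (or the computer's own name) points at the local account store,
    # so the "Domain:" label switches to the host name, as in CN-TEST01 above.
    if prefix == "." or prefix.upper() == host_name.upper():
        return CredentialTarget(host_name.upper(), account, "computer-based", is_admin_name)
    return CredentialTarget(prefix.upper(), account, "domain-based", is_admin_name)
```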
4. Changing the administrator account password.
The password for a computer-based administrator account will never change unless you decide to change it. The holder of a domain-based administrator account will periodically be prompted to change the password to that account. To change either type of account's password, the process is similar.
A. Changing a domain-based administrator account:
First, you must log on to the computer while the computer is connected to the CSM network. Because the account is managed by the domain, the computer needs to be connected to the campus network in order to authenticate your account. If you are off-campus, then a VPN connection must first be established before attempting this process.
Once logged on with the domain-based administrator account, press the <CTRL> <ALT> <DEL> keys simultaneously. Windows will blank the screen and present the following menu.
Select the "Change a password" option.
The following screen appears:
By default, the currently logged-on user name is pre-populated in the user name field. You must first enter your current password in the "Old password" field and then enter your new password in the "New password" and "Confirm password" fields. Then click the arrow button at the right-hand edge of the "Confirm password" field.
If you enter the current (Old password) incorrectly, you will see the following error:
If your new password does not meet the requirements of the Mines password policy you will see the following screen:
The Mines password policy requires that a password:
1. Must be at least 10 characters in length.
2. Must be no more than 64 characters in length.
3. Must contain at least one digit (number).
4. Must contain at least one uppercase letter.
5. Must contain at least one symbol, such as: ! # $ % & ( ) + - /
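A check of a candidate password against the five rules above, added here as an example (not ITS code). It assumes the listed symbols are illustrative, so any printable non-space character that is not a letter or digit counts as a symbol:

```python
# Added example, not part of the ITS article: reports every Mines password rule
# a candidate fails, so a user can see why the change-password screen rejected it.
# Assumption: the article's symbol list is illustrative, so any printable
# character that is not a letter, digit or space is accepted as a symbol.
MIN_LEN, MAX_LEN = 10, 64


def is_symbol(ch: str) -> bool:
    return ch.isprintable() and not ch.isalnum() and not ch.isspace()


def policy_failures(candidate: str) -> list:
    """Return the list of rules the candidate breaks (empty means it passes)."""
    failures = []
    if len(candidate) < MIN_LEN:
        failures.append(f"shorter than {MIN_LEN} characters")
    if len(candidate) > MAX_LEN:
        failures.append(f"longer than {MAX_LEN} characters")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if not any(c.isupper() for c in candidate):
        failures.append("no uppercase letter")
    if not any(is_symbol(c) for c in candidate):
        failures.append("no symbol")
    return failures


def meets_policy(candidate: str) -> bool:
    return not policy_failures(candidate)
```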
Assuming the existing password is entered correctly, and the new password meets requirements, you will see:
B. Changing the computer-based administrator account password.
Since a computer-based administrator account is not managed by the ADIT domain, it is not necessary to have any network connection in order to change the password. The process is otherwise the same as changing a domain-based administrator password.
2020.04.23 - dkearney
2022.03.21 - Updated - dkearney